Based on research in 2012 by a California-based Web app security company, 99 percent of tested Web apps used by both the public- and private-sector are vulnerable to attack.

Cenzic, a California-based Web application security company, released these findings in its February 2013 report, which also details why these vulnerabilities aren't getting better.

Technology is available to help developers test their software during development and production so creators understand the flaws before releasing these products to public- and private-sector customers, but budget constraints often prevent them from completing these assessments.

“Ultimately I’ve heard many stories of organizations saying they don’t even want us to scan their applications because they don’t have the budget to fix what they find,” said Scott Parcel, chief technology officer of Cenzic, which offers such a tool.

This alarming trend has continued for a while, according to the company, which also found that 99 percent of Web applications tested in 2011 had vulnerabilities. One significant difference was in the median number of vulnerabilities found per application: 13 in 2012, down from 18 in 2011.

Cenzic touts these findings as a warning to information security and application development personnel that hackers can easily exploit what’s built.

Vulnerabilities detected include the following:

Cross-site scripting (XSS) – 26 percent

Information leakage and session management – both 16 percent

Authentication and authorization – 13 percent

Cross-site request forgery – 8 percent

SQL injection – 6 percent

Web server version – 5 percent

Remote code execution – 5 percent

Web server configuration – 3 percent

Unauthorized directory access – 2 percent

The report didn’t disclose the number of Web applications tested, and a Cenzic spokesperson wouldn’t disclose the number of apps tested for security and proprietary reasons – but the spokesperson stated that it was in the thousands. The report also states that Cenzic’s managed security team gathered the data during an analysis of applications in production.

Parcel said he feels that the public sector could play a role in fixing some of these problems, but he’s unsure if the government will act.

“Government efforts around cybersecurity [are] to try to invest in improving things for the whole country, not just for the government,” Parcel said, though he didn’t name any specific actions the government has taken or attempted. “And that, I see, is woefully mis-coordinated and really just not tackling the problem. They keep making all kinds of bold announcements, and then not doing much in the realm of Web application security.”

“The CTO of Cenzic is probably correct, but similar things could also be said on many other aspects of cybersecurity across most governments,” Lohrmann said via email. “I do agree that Web application security lags behind other security areas.”

But according to Lohrmann, the public sector is at a disadvantage when it comes to cybersecurity in general, and he referenced a 2012 study by Deloitte and NASCIO to support this point.

“As the NASCIO-Deloitte study indicates, state and local governments struggle to get the resources and buy-in to do a long list of ‘priorities,’” he said. “I don’t believe this is uniquely true of Web application security.”
